The LastPass hack appears to be worse than first thought. The attackers were able to copy a backup of customer vault data, according to the CEO of LastPass. If the attackers can find a way to guess a user's master password, they will be able to access users' entire collection of passwords and other data stored with LastPass.
Toubba said it would be difficult to brute-force the master passwords of customers who use the company's default settings; it could take attackers millions of years to guess them. LastPass takes the position that it should not have access to users' master passwords at all.
That reassurance may offer little comfort to users with weak master passwords. In those cases, LastPass advised users to change the passwords for every website stored in their vault, which makes for a long day of account resets. Even the strongest passwords could be at risk if they were reused on another site that has been hacked, and dark web markets are full of hacked passwords. Affected LastPass customers may also find themselves awash in phishing attempts that try to trick them into handing over the keys to the kingdom.
In addition to the passwords, Toubba said the stolen vault data includes "fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data." Knowing which sites a user visits could be used to build more convincing phishing campaigns.
LastPass did not immediately reply to a request for comment.
This is about as bad as it gets for a company whose business is collecting and protecting passwords in one place. The attack was first disclosed in a LastPass post, which said at the time that the attacker had been able to access certain elements of customers' information. The company said that no customer passwords were affected by the incident, but as we now know, that is not true.
This most recent hack appears to have been made possible by an earlier incident just six months ago: the company says the attacker may have stolen source code and technical information from its environment and used it to target an employee and obtain their credentials.
Password managers have become a security necessity in a digital world that requires users to juggle many credentials. Password manager services are among the most mouthwatering targets for bad actors because of the concentration of sensitive information they hold. LastPass should have let customers know as soon as these findings were available.